[Snort-sigs] " ..MS Terminal Server no encryption.. " misfire?
ben.dugdale at ...2751...
Fri Aug 27 11:12:13 EDT 2004
The "... MS Terminal Server no encryption session initiation attmept"
rule seems to be misfiring.
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
MISC MS Terminal Server no encryption session initiation attmept
Ease of Attack:
Connect to a MS Server using rdesktop.
The rdesktop man page seems to indicate that default use is encrypted.
>From the rdesktop man page...
-e Disable encryption. This option is only needed (and will only work) if you
have a French version of NT TSE.
-E Disable encryption from client to server. This sends an encrypted login
packet, but everything after this is unencrypted (including interactive
Either the rule is misfiring or rdesktop is not behaving as advertised. Evidence suggests a misfire.
More information about the Snort-sigs